How to become a malware analyst
Uncover the dark, sticky details of malware, ransomware and other nasties that reside one unguarded click away. On today's episode, Danny Jenkins, CEO and Co-Founder of ThreatLocker®, talks about some of the ways these ever-evolving malware types can ruin your digital life, the nuts and bolts of malware analysis, and why your CISO should be "annoying you if they're doing their job."
Danny Jenkins is a technical guru with a deep understanding of corporate IT and cybersecurity. He has an entrepreneurial background and two decades of experience in building and securing corporate networks. Before taking the reins at ThreatLocker, Danny held CEO and CTO positions at multiple IT companies and founded a few cybersecurity businesses of his own.
[00:01.0] CS: It’s a celebration here in the studio, because the Cyber Work with Infosec Podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a best cybersecurity podcast gold medal in our category. We’re celebrating, but we’re giving all of you the gift.
We’re once again giving away a free month of our Infosec skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments. To take advantage of this special offer for Cyber Work listeners, head over to Infosecinstitute.com/skills, or click the link in the description below, sign up for an individual subscription as you normally would, then in the coupon box type the word ‘cyberwork’. C-Y-B-E-R-W-O-R-K. No spaces, no capital letters and just like magic, you can claim your free month.
Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week. Enough of that. Let’s begin the episode.
[01:04.3] CS: Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.
It’s been a while since we talked about ransomware last and it’s toxic growth online in the last couple years. Even as tools and technologies improve to keep malware out of our computers, social engineering and other manipulative techniques still get people to click the link, open the doc, or otherwise do things that they should know better to do in these situations.
Our guest today, Danny Jenkins, said he wanted to talk about ransomware and quote the ways your favorite apps could be weaponized against you. We’re going to talk about that. We’re going to talk about some tips for mediating if you do get hit, as well as getting your foot in the door as a malware analyst.
Danny Jenkins is a technical guru with deep understanding of corporate IT and cybersecurity. He has an entrepreneurial background and two decades of experience in building and securing corporate networks. Before taking the reins at ThreatLocker, Danny held CEO and CTO positions at multiple IT companies and founded a few cybersecurity businesses of his own. Danny, welcome to Cyber Work today.
[02:12.2] DJ: Chris. Thank you for having me.
[02:14.3] CS: We always like to start the show to warm things up by getting a sense of your own background and personal story, your origin story, if you will. Let’s start with that. How and when did you first get involved in computers and tech? Was this something you’ve been interested in since childhood? When did you specifically get interested in the security aspects of things?
[02:33.3] DJ: As I guess a child, tech wasn’t too much around. I grew up in the 90s and when I was at school, we had Windows 3.1 on our computers and floppy disk drives. I guess, what drove me to tech was not a tech class, because there was no tech classes back then, but more of a business studies class, because we use computers in business studies. While I was at school, I had a lot of trouble with some of the students and my way of getting secret revenge was to write batch files in those days to delete their work. That was my introduction to tech as a 15-year-old and growing up in the UK in the public school system.
[03:13.5] CS: Okay. When did you specifically get interested in the security side of things?
[03:19.0] DJ: It organically evolved. I started work very – I took the non-traditional approach of not going to college and I left high school. It wasn’t high school in the UK. My GCSEs and left at 16 and went into an apprentice role in doing MSP work, small business support going out fixing the VEL servers and things like that.
By the time I was 20, I was working at a large multinational company and I somehow found myself in the corporate headquarters with a very small IT department, for where the organization had a 150 different sites, probably 10 or 15 different autonomous IT departments. The only role of the corporate headquarters was to figure out what’s important corporately.
As they didn’t really choose what apps they ran, or what systems they ran across the globe, it really became a security topic. It really became, we’re all talking together. Every time somebody gets a piece of malware, it spreads across our entire network. Malware wasn’t so bad back then. It wasn’t ransomware. It didn’t cripple you and bring you to your knees. It was more about –
[04:26.9] CS: What year are we talking here?
[04:28.7] DJ: I started there in 2002 and I was there for five years.
[04:35.1] CS: I remember getting wumped by a piece of malware around that time and it wasn’t great.
[04:38.8] DJ: Yeah. But it wasn’t your files are encrypted and your businesses have.
[04:41.9] CS: Right. Right. Yeah, and I remember getting hit with one in 07, where they just torched my entire computer. They couldn’t even reboot it. Yeah, it’s scary. Definitely gets heavier.
[04:54.7] DJ: Back then it was IT and then became IT security. It wasn’t cyber security as such. It was how do we secure IT? A lot of it was about putting perimeter firewalls in place, putting antivirus. Then we saw the evolution of personal firewalls when blaster came out in 2002 and malware went across 4,000 worldwide inside the global network. We ended up setting very hard policies then and what seemed to be hard policies then. Now when you look back at them you think, wow, we allowed zip files through e-mail. It’s that’s crazy. That’s my introduction to security in that.
[05:34.5] CS: Okay. Yeah, so can you – from there, can you – let’s go to the next step. You started out in this loose umbrella organization of security checkpoints and stuff, but obviously there’s a big jump between what you were doing there and moving up to CTO and infrastructure manager and so forth, so as you started out configuring networks for small businesses. What were some of the major stepping stones where you went from this area of knowledge and then you got this much higher and this much higher? What were some of the transformative things in your career that got you to where you are now where you’re starting your own companies and so forth?
[06:16.2] DJ: Yeah. When I was 23, 24, 25, I can’t remember the age now, one of the big challenges we had in that organization was malware and most of it was through e-mail. It was a constant challenge. It seems we would buy a firewall and that firewall would stay there and we wouldn’t change it. We’d buy an antivirus and we stopped and stuck with the antivirus. E-mails seem to be a constant challenge for the business and how could we stop malware and spam, which was obviously the birth of spam back then as well coming into the network. We kept buying products and we kept going up to the CFO asking for more money and why? Why you just spent this much money. It didn’t work.
From there, I decided I wanted to solve this problem and the logical except for me was I don’t think this should be a business issue. This should be a technology issue. If I was running a technology company, I could have the front-end to do whatever I wanted and then the back-end, we could change and evolve.
I started a company called MX Suite, which was an e-mail security company. The idea was to move e-mail security into the cloud, which everyone looked at me like I had two heads then. What if my quarantine is if something gets good, it gets quarantined and it’s stuck in the cloud? That was the mentality then and to make it a subscribeable solution.
I started that company as a CEO. I became the CTO as we took investment and we grow. We grew pretty fast and that company, I exited that company to the investors and that later became, I think Fuse Mail, which is now Viper. I think the product’s still going somewhere and that’s 10, 15 years later.
[08:08.8] CS: That’s a nice legacy.
[08:12.1] DJ: From there, when I exited that company, I got very involved in some government stuff, some large infrastructure stuff. It was the title, it wasn’t even CISO, but as a security advisor, an advisor for many large technology companies. I helped try and secure environments. In addition to that, I also worked on a lot of recovery, so ransomware recoveries. It probably came actually after the next business more, but a lot of breach recoveries, breach detection and figuring what happens
One of the things we always saw throughout my 20 years I guess in IT now, I’m getting more than 20 years in IT, is it always seems to be malware. It’s always whether it’s somebody opening an e-mail attachment, or whether it’s something pushing out, like wannacry did in 2017, or blaster, it always seems to be malware that’s the pain point for everybody.
[09:03.8] CS: Okay. Well, let’s jump right into that. Our topic today specifically is ransomware, but malware in general. We’ve spoken about malware and ransomware on past episodes. We had a great episode a while back. We might re-release it with Christiaan Beek of McAfee, who we also talked about the NoMoreRansom organization.
Certainly as you say, malware and ransomware aren’t going away anytime soon and they’re always staying one step ahead of cybersecurity experts and counter malware methods and so forth. We’re always putting new malware of the week up on our on our infosec resources site and all sorts of crazy things, gap jumping and all these new technologies that get added to things.
What is the state of ransomware at the moment? Do you think it’s gone down, stayed up, stayed the same in the age of COVID-19 and people being in decentralized locations and working from home and things like that? Does that make people more or less susceptible, do you think?
[10:06.0] DJ: I know, unfortunately it’s gone up to an extreme level and probably the highest jump we’ve seen in the last three years has happened in the last three months. That stems from various things. One is the perimeter is now gone. Whereas, it was nearly gone before, but the people who were outside of the perimeter tend to be more technical savvy, sales guys who use laptops and used to dealing with technology and the threats.
Now we’ve taken call centers outside of the perimeter. We’ve taken people who are paid lower salaries outside of the perimeter. They’ve lost all of their perimeter security and we’ve seen massive amounts of increase in things coming through, but more importantly, things being executed.
The other huge contributing factor is nobody knows what the norm is anymore. Nobody knows, is it normal to get an e-mail from my CEO asking me to open something? Because normally, the CEO or the call center manager was sitting across away from us. Now when people are at home, they’re not necessarily the most tech savvy people. They get these e-mails, asks if you want to enable this macro, do you want to click this file to download this file? “Oh, you need to update Adobe to get access to this site. I’m clicking update Adobe and it’s not actually Adobe.”
We’re seeing more and more people get tricked into doing things that they wouldn’t traditionally do. In addition to that, we’re also seeing more and more of those good applications used. The latest example of course is virtual box, where people are sending out portable virtual boxes, which aren’t malware, so to speak. When a user opens those boxes, virtual boxes, which is the application is signed by Oracle, it’s a legitimate application, it opens and it spins up a malicious virtual machine inside your environment. We’re seeing a whole load of new attack vectors that are coming in in terms of people using those legitimate applications. Then being able to bypass things, because we’re on a Zoom conversation now, if I send you a link over Zoom, we’ve just bypassed all our corporate security.
[12:10.5] CS: Right. Yeah, now tell me a little more about that virtual box. I don’t really know. What people within the company would be getting something like that that they’d have to open up and then make themselves potentially vulnerable?
[12:24.8] DJ: It’s not specifically targeted at individuals and that obviously people who aren’t used to – who are less technical savvy are more vulnerable. The way we’ve seen it come in is a few different ways. We’ve seen the traditional click on this link, you need to update your browser. Somebody clicks on the link, it downloads a file. They open it and it runs an exe. It spins up a virtual box in the background.
The most common one is what that will do is it’ll actually map your file, personal files, your folders to the virtual box. Then when it opens, it’s able to encrypt those files from inside the virtual box. Of course, your antivirus doesn’t see what’s inside the virtual box, so that makes it more difficult for it to detect what’s happening.
[13:07.6] CS: Basically kidnapped it to a third location or something.
[13:10.5] DJ: Yeah. That’s one way. Word documents are pretty common as well, people clicking on macros and saying, I want to, or they’re calling out powershells that – The user doesn’t know anything. They’ve opened a word document. They said you need to click, enable macros. For me obviously, it’s pretty easy for me to why would you enable macros?
There are so many security alerts. There are so many messages that pop up on your computer saying, “Are you sure? Are you sure? Are you sure?” Nobody really knows what they all mean, so they just keep clicking, unless you’re a technical professional, yes, yes, yes, because I need to get this document open. The user opens that document, they enable the macro and then it will go off in the background. It’ll download it silently. The obvious ones are when they do launch the virtual box with immediate malware.
The other one which we’ll see more common inside the network, which is a little bit more terrifying is where it doesn’t go and encrypt your files. What it does is it will spin up that virtual box and it doesn’t – it’s not limited to virtual box. That’s the biggest target at the moment, but any virtual machine. They now have a machine running inside your perimeter. They now have TeamViewer installed on that machine, go to assistance on that machine and they can connect to that machine, they can scan your network. They’re basically plugged into your lap. It’s this month’s flavor of attack. I mean, next month it’ll be something different. This month, it’s virtual box and virtual machine.
[14:29.6] CS: Okay. I mean, this is a fairly new and therefore, you’re probably scrambling to figure out solutions. I mean, apart from don’t click the link, are there any particular things that you’re working on to fight against this specific type?
[14:44.5] DJ: The virtual box, and my opinion has always been to default an eye. The days of looking for bad stuff is in my opinion, it’s stupid to rely on that. The way that a lot of businesses approach security is they will – it’s almost like saying, “I’m going to put three house alarms in my house. I’m going to have glass-breaking sensors, motion sensors and contact sensors. I’m going to put three different house alarms in, because I want more security, but they forget to put a lock on the front.” You walk in and take the TV and walk off the wall. Makes a lot of noise, but didn’t help them.
Our approach is quite simple. My thought on this is if you don’t allow virtual box in your environment, it can’t run and therefore, it’s not an issue. If you do want to allow virtual box, it should be an IT issue and it should be an IT decision, or a business decision at least and it should be contained on what that virtual box can access, so it can’t just be wide open.
[15:41.3] CS: Could be maybe – you could ask your IT department to let you use one for the session or whatever.
[15:47.3] DJ: Yeah. Most normal users are not using a virtual box on their machines, or hyper-V or vmware. The same applies for every other virtual technology. Well, any other technology is if you don’t need to run it, don’t let it run. Because applications, whether they are malware or just ware, they’re dangerous.
[16:04.7] CS: Yeah, and they’re wearing your computer down. Yeah.
[16:08.4] DJ: Every application you install becomes a potential portal into your data, into your infrastructure. If you’re running Zoom now, Zoom has the ability to access your files. That doesn’t mean Zoom will access your files and you’ve taken a business decision that you think the value of using Zoom outweighs the risk. When you’ve as a company, you have users downloading free software all over the place at different browsers unpatched and installing games, all of these applications become potential vulnerabilities on your system, whether it’s through malicious vendors, or whether it’s through just poor coding.
[16:44.3] CS: Right, right, right. Okay, well that brings us to the unofficial title of this episode, how your favorite apps can be weaponized against you. This is what we wanted to start talk about today. We’re talking specifically about well, apps across the way, whether it’s phone, or computer, or your work from home computer or whatever.
It sounds like settings and deciding what you won’t and will and won’t allow is a big part of what you’re saying the solution is. Can you give me some tips about apps and ransomware that you can impart to us about trying to avoid some of this?
[17:17.1] DJ: As a business, I would always say, restrict what can run. I use the word run, not install, because you don’t need to install something to steal your data. Restrict what can run. Make sure you’re only allowing Chrome extensions, or edge extensions, or Firefox extensions that you want in your business. I point that one out for a very good reason. If you use last password, you use a password manager, you know that when you go to log into your bank, ask do you want to save your password. That’s not a bad thing. You have that product and you’ve made that decision.
If LastPass can read that password off the page, so can Candy Crush, or that’s what I’m saying, well, any other coupon clipper or extension you use. Make sure you limit what you need. Ask yourself. I’m not saying don’t do anything, because you can always bury your computers in concrete and then they’re completely secure. Ask yourself, is there a risk versus the benefit? Is the risk worth the reward on installing this extension? Don’t just install things, because you think it looks cool, or it’s the trick of the day. That applies to applications and extensions. As a business, implement technology, implement whitelisting technology to say nothing runs without your consent.
The other thing you can do is when your applications are running, limit what they can do. We saw Zoom and this is the favorite attack of the quarter, I guess. The number of vulnerabilities out there, we published a few videos demonstrating some of them where attackers could send links to powershell. They could send links to malware. They could steal your credentials. If you limit what Zoom can do, so Zoom can’t call powershell, so Zoom can’t go out to the Internet and talk to unknown or untrusted network shares, or even your own network shares, so it can’t access your files. It means the likelihood of that attack being successful if someone does exploit that app, or the vendor does turn out to be a bad vendor is massively reduced.
We always say, take away what you don’t need, don’t install what you don’t need. As an IT professional, your job is to make sure your network is safe, not to be friends with everybody. When you do allow things to run, just limit their access. If you’re running, if you say, “Okay, we’re going to allow Angry Birds to run. We’re not going to let Angry Birds access my files.” There’s no business reason for that application to access your files.
[19:39.8] CS: We’re talking an audit of every single app that you’re using, especially on a work computer. Is there any guide that you guys have that suggests, because I think a lot of people hear this and they’re like, “I wouldn’t even know where to start making all those changes.”
[19:53.6] DJ: Of course, I’m the CEO of ThreatLocker, so I’m going to say the best way to do this is put ThreatLocker.
[19:59.4] CS: Say it away. Say it away, by all means.
[20:01.8] DJ: We don’t have a guide to what you should and shouldn’t run, because that depends on your business requirement. If you need TeamViewer in your environment, then let TeamViewer run. If you don’t need TeamViewer and we’ve seen that be weaponized on a lot of times, where – don’t let TeamViewer run. If you deploy ThreatLocker, it’s very easy. It just scans what you’ve got. It tells you what you’ve got. It gives you suggested policies on what they should access, so it can offer some powershell, can powershell access your network shares? Then it reinvents them appropriately. Then you let it learn for a week and then you decide to tweak anything you want.
Whether you use ThreatLocker, or whether you use one of the more just colonial type, I’m going to hard code this, I’m going to look at everything manually, I’m going to see what’s happening, it doesn’t matter from a security point of view. What matters is things don’t run that shouldn’t run. Then you’re not relying, or hoping that your antivirus is going to save today’s – pick up today’s draft.
[21:01.2] CS: Right. Okay. Let’s start talking worst case scenario. If heaven forbid you do get hit with ransomware, I’ve heard a variety of suggestions for dealing with the problem, ranging from just pay the ransom, to contact the authorities, to there’s certain forms online like NoMoreRansom who might be able to help you crack the issue on your own. If you were hit by a ransomware attack tonight, walk me through the steps you’d take to first mediate the damage and then come to a solution.
[21:26.1] DJ: It brings up the two types of ransomware. The one we hear about a lot, because companies aren’t necessarily embarrassed about sharing them and the one we don’t hear about a lot, which is almost a little bit more terrifying. The one we hear about a lot is the one that encrypts your files and says, “If you want your files back, pay the key.” I’ve seen businesses, I worked with an insurance company in Australia five years ago just before we started ThreatLocker and this company was taking out their backups to their databases, their SQL servers everything from ransomware. They did pay the ransom, they didn’t get the data back.
They didn’t go out of business. We managed to recover using disk recovery tools and it was a painful and extremely expensive experience for them. There’s that type and that’s pretty obvious. You know when you’ve been hit. Your screen’s red. They’re asking you for Bitcoin and you’ve got two choices; one is you restore from a reliable backup to get your data back. Now bear in mind, getting your data back doesn’t take the data off the attacker. They still have that data. They still have your files. They still have your customers orders and your credit card numbers, or they’ve just got everything you’ve got. It doesn’t undo that damage.
If you really believe these guys are going to be honest and not use that data, then there’s some naivety issues there too. In terms of what should you do, the best scenario is if you do get hit and if you do get hit you failed in your security. This isn’t something you want to be. Situating you have is to try and restore from a backup, make sure you’ve got backups. Take everything off the network. It doesn’t matter how small or insignificant this is is if you see one machine in your environment that has a red screen saying you’ve been encrypted, the first step you should do is go into your server room and pull the power at the back of your server.
It doesn’t matter how small you think it is, because you can’t undo that step. I’ve seen massive companies completely crippled over this. I would never suggest paying the ransom. That is a whole political argument of whether you should or shouldn’t. I’ve seen too many people pay and not get the data back.
[23:31.8] CS: I’ve heard also that they say it’s almost better to get someone who’s good at ransom than ransomware, than someone who’s an amateur, because the amateur might not even – they just send it out there and then they don’t really answer the call, or do the transaction, or whatever and it’s just very sloppy. Then exactly, you pay them and nothing happens.
[23:50.1] DJ: Yeah. I wouldn’t pay it. I would like to see legislation that stops government agencies paying it. We see three cities in Florida last year paid 2 million dollars in ransom. You may as well just draw on a big red target on every other city in Florida, because it means money. Yeah, it makes you easy money. We hit you and you’re going to pay us money. The two business I wouldn’t pay, one is it doesn’t guarantee you can get the data back and this money isn’t going to build orphanages. This is organized crime and it’s the terrorist groups and human trafficking. These are bad people that you’re paying money to.
If you’re making a decision to pay the ransom, be fully aware of what you’re doing. It’s easy for me to say that, because I’ve never been at the other end of a ransomware attack. As a business, sometimes you have to make hard decisions. I wouldn’t pay it. I would shut everything down, start bringing things on to iron, take the hard disk out of everything and copy all of the data that you have, make sure your backups are in a secure place. Do not plug your backups into a network without having copies of them, because you have to assume that the moment you plug in, you’re going to get recovered.
Build your network from the ground up again. Don’t assume that I’ve ran my favorite antivirus and it’s told me it’s clean, I’m clear, because it could sit there for another six months and then bite you again. If you do decide to pay and they give you the decryption keys and they unencrypt it, still go and rebuild all your systems, because they’re just going to leave a payload sitting on your system to do the same thing in six months’ time. The only thing is in six months’ time, your cyber insurance might not cover you.
[25:32.2] CS: Okay. Those are all things you should absolutely do. What are some things you absolutely should not do in the case of a ransomware attack? What are some of the worst things that you’ve seen people do, apart from pay the ransom?
[25:43.0] DJ: The worst thing is leaving the computers on. That’s the absolute worst thing. Trying to self-remediate without an IT professional and I don’t mean just the local it guy, because my grandson knows more about. He’s really smart with computers. Bringing in a proper professional who’s done proper remediation before and gone through these steps. If you bring in a proper company, they’re going to take everything off the network and they’re going to start introducing things one thing at a time. You absolutely shouldn’t – you shouldn’t do that. Make sure you stop – don’t use your computer until you know it’s clean, because you’ve been compromised. You’re just going to spread it even worse.
[26:30.3] CS: Okay. We always talk about this. Our show is called Cyber Work. We like to talk to the guests about career aspects of whatever they’re interested in speaking about. Malware’s pretty interesting as a thing and I know that there is careers in malware analysis and ransomware and so forth. Can you uh tell me a little bit about the career trajectory of someone who might want to start with analyzing malware and then moving up into higher positions, where you’re thinking about it in a more global or holistic sense?
[27:05.2] DJ: When you’re analyzing malware, you have to be careful not to pigeonhole yourself into specific areas, because really, to successfully analyze malware, it’s not about reading lines of code and decoding. It’s about understanding how systems are built, how infrastructure is built, how security is built. Then from there, you’ve got a general idea of what my network looks like, what a network looks like, what software, operating systems look like, how administrative permissions and privilege and permissions can change the outcome.
Then from there when you understand that, then you can analyze and say, “Oh, this is how it’s going.” If you’re looking for a career in stopping malware, malware’s not going anywhere, we know that. Make sure, it’s really about a career in understanding technology, understanding security and understanding infrastructure in general. Because understanding infrastructure only allows you to break down and stop threats, but it also allows you to understand how threats are created. You can see very quickly how I can get around someone’s security.
I’ve done a lot of white hat stuff, where I’ve shown people how you get around their security. You can only do that when you understand how people work, how people interact with technology, because that’s always going to be our weakness, how technology works, how vulnerabilities work, how operating systems work, how firewall ports work, how networks work, because that’s essentially how malware is getting into our environments and spreading and destroying or stealing our data.
[28:39.1] CS: Okay. Do you have any thoughts on certifications? Do you have any certifications yourself? Do you feel that they benefit your career, or is it just, you prefer people just start working on the actual skills that they need?
[28:54.8] DJ: That depends on a lot of things. I went through Microsoft certification when I was young. It never benefited me and that I already had a job in a high position. I went through it, because I was 20 – I think I was 20, 22, 21, I can’t remember years old. Then I had no college education and very high school education. It was important to show credibility.
We do look at certifications, but don’t weigh them too high. We’re generally trying to find someone’s interest and someone’s enthusiasm and ability to break down a problem and look at a problem. Having a certification helps you and it may give you a step up and whether you – now that doesn’t mean reading the content won’t help you, because a lot of these certifications build off content and that content is extremely useful in helping you understand the process.
Going through the courses, or going through the training sessions is always going to be good for you. The actual certification depends. If you’re very young and you have little experience and you’re trying to get your first job, it’s going to give you an edge over the guy who’s standing next to you, who is very young and got very little experience and no certification. As you get on through your career, nobody is asking you what certifications you have. They’re looking at the next step. It depends on a lot of things.
[30:22.2] CS: Okay. So especially for people who are just starting along those lines, but don’t have the wherewithal to get a cert at the moment, what are some other ways that you can present yourself as someone who is passionate and interested on a resume when you’re looking for your first job like that? What are some projects, or hands-on things, or freelance things that you should do that will show people, “I’m just getting started, but I have the goods.”
[30:46.9] DJ: Yeah. I think the storytelling of a resume is very good in a very short manner, because we’re only reading the first half a page. If you can get us past the first half of the page, that’s really interesting. Almost explaining some of your technical knowledge without writing it down into technical expression.
I always love those resumes, they jump out at me when I read them and say, “Oh, this guy has talked about how he’s used powershell to download a payload from the Internet and load it into register into protected memory.” That’s going to blow up. Now don’t just go and write that on your resume, because they’re going to ask you what that means.
[31:27.9] CS: Right. Oh, yeah. Be ready to show your homework.
[31:30.7] DJ: Yeah. We have a really long interview process. Our interview process, depending on what position you’re in, typically is about 16 hours. We’re going to give you homework and we’re to say, “Come back and we’re going to ask you questions. We’re going to ask you standard IT questions and we’re going to give you things to learn and see how well you learn them and see how well you understand them, both from a sales engineer point of view and an engineer point of view.” We have a really long interview process.
That’s how we weed out the good from the bad. It keeps us having to keep our staff in there below, because it means before we hire them, we know that this is the person. He’s the right person and it’s going to deliver for us. Not every company is the same. Some of the bigger organizations, they’re just looking at your college education, they’re checking boxes.
From our point of view, we do look at certifications. It may get your resume a little bit of the pile. Getting a good resume, talking about something on there that makes me read it twice, or makes our CRO read it twice, it’s always going to make you move forward. Not just on the resume, but when you send that resume in, if you send it through a LinkedIn, and if you can link in to CEOs and COOs and head of security, that’s a great thing to do. Just post content all the time and it gets our attention. Because we’re ultimately looking for the easiest people we can bring into the position with the least amount of effort.
[32:59.6] CS: Yeah. I mean, LinkedIn is is one of those things that for a lot of people is this background joke of, “Oh, join my LinkedIn page. It’ll be hilarious, or whatever.” Yeah, it’s worth noting, especially high-level people are reading their feeds and they’re really looking at people who are bringing interesting things to the table. Is that what you’re saying basically?
[33:17.6] DJ: Absolutely, because I can see more about you not from your profile on LinkedIn, but what you post. Bear in mind, that means don’t post anything dumb.
[33:29.7] CS: Yeah, and don’t just be a sheer monster. Yeah.
[33:32.7] DJ: Yeah. Post really good explanatory explanations on things. If you do reach out to people and it’s a great way for people to reach out to us. A lot of the resumes, we get through LinkedIn. If you do reach out to someone, reach out with something that means something. Not just, “Hi, please look at my resume.” Because everyone’s saying that same sentence.
[33:55.2] CS: Yeah, build a relationship a little bit.
[33:57.7] DJ: Yeah. If you can maybe read your sentence, it’s worth doing.
[34:01.6] CS: Yeah. Oh, totally. Yeah, your bio suggests that you really haven’t let a lot of grass grow under your feet. Some of our listeners might feel stuck in their current position and want to break out into a new area of study, or starting a startup, or making some other big career decision. What advice would you have for them about getting unstuck, or jumping up to the next level?
[34:23.3] DJ: By nature, I am an entrepreneur. I am risk taker. It doesn’t cross my mind when I move from company to company. I haven’t had short job cycles. The decisions I make, it doesn’t cross my mind, can I pay my mortgage next month? Sometimes in my life, I’ve been to the stage where I can’t pay my mortgage, but it has never stopped my career changing and ability. I’ve always moved forward and thankfully, my wife is very supportive of that as well. It’s worked out really well for us.
We’ve had tough times, we’ve had good times. It can be very scary to move. If you’re this way inclined, because if you’re not, it’s probably – security isn’t a job for you, because it’s a job that changes all the time.
[35:10.3] CS: Yes. Constant learning.
[35:11.5] DJ: Yeah, it is constant learning, constant changing and no day is ever going to be the same. We stand at the cliff edge constantly on. That’s where innovation happens. If you are looking for a – if you’re thinking about changing, it is a risk, it’s always going to be a risk changing position. Sometimes it means taking lower money, sometimes it means of course, if I don’t cut it, I’m not going to be in this job in three months’ time.
If you’re the sensible type and you’re going to work a 9 to 5 job and you’re going to punch your pay clock every week or every day, then the government’s a great job for you. If you’re a risk taker, you’ll do really well, if you can keep up with the pace.
[35:55.9] CS: Yeah. Okay, so wrapping up today, where do you see – I mean, it’s scary enough where it is right now, but where do you see malware and ransomware going in the coming years?
[36:04.8] DJ: Well, we know it’s going to get worse. We know it’s going to change. I think we’re going to start seeing and we’re seeing a big trend in this, less on the encryption side and more on the data theft side. We see this a lot in healthcare at the moment. We see it a lot in government agencies, in car dealerships, in IT theft and things like that, but we’re going to see that increase and we’re going to see it increase.
The worst thing about that is you don’t know you’ve been hit. Someone could be cycling data off your network, because somebody opening an e-mail attachment for six, eight, nine, 10 months and you don’t even know it’s happening until one credit card investigation links back to this car dealer, or this – your store, or your business that shows that 5,000 credit card numbers are being leaked, or 2 million dollars has been stolen off people’s cards.
You might not even know that for a year and then a year’s time someone’s going to knock on your door and tell you you’re responsible for all this loss and you’ll be – and it’s not just Home Depot, Home Depot and Target, they all make the news. This happens to small businesses, to medium businesses all the time. They’re just not worth – This is not newsworthy.
[37:22.3] CS: Yeah, do you have any advice for smaller, medium businesses to keep out of that mess?
[37:28.6] DJ: Yeah. If you’re a small business and sizes relative to the – If you don’t have a team of IT people and a good team with different skill sets, engage and manage their own provider. Find a good management provider. Ask them hard questions about how do you deal with this? How do you deal with this? How do you deal with this? A true and good manage service provider isn’t going to bundle you a bunch of tools and say, “Oh, we’re just reselling you the best security tools.” They’re going to give you policy, they’re going to help you enforce, they’re going to help you manage and they’re going to tell you what you sometimes don’t want to hear.
If you are a CEO, if you are an executive, you can’t have access to everything, you can’t have unchecked credentials on your network. That is the quickest way for you to go out of business. Listen to your managed service provider if you do get one, or your IT department if you’ve got an IT department. If your CISO, if your head of security, or head of IT, whatever the person is responsible for security isn’t annoying you, he or she is not doing their job. That is the job of the CISO.
[38:32.4] CS: That’s going to be the pull quote for this episode. All right, so that’s awesome. To wrap up things today, tell me – I mean, you told me a little bit about ThreatLocker, but tell me all about ThreatLocker. What are some current projects or initiatives that you’re excited about?
[38:46.6] DJ: We took a different approach to security when we came into the market. We wanted to bring the policy-driven approach there. Zero trust is today’s buzzword, but the default deny approach, if you like, of security away from just the big enterprise, the big banks, the department of defense. They’ve always engaged this type of technology forever, but they’ve also had unlimited resources. We wanted to take the problems of default deny and solve them, so smaller businesses could use them.
We’ve been extremely successful right in businesses, from local government, to healthcare, to managed service providers where we’re very successful in that space, providing small businesses security, to bring the zero trust approach down to them and by making it very simple and not being a huge job, because we essentially collectively help with the policies and the building up definition for you, so you don’t have to think about, “I don’t know what office needs to run,” because that office already thought about that for you.
[39:44.3] CS: Perfect. One last question, if our listeners want to know more about Danny Jenkins or ThreatLocker, where can they go online?
[39:49.6] DJ: The probably the best place is threatlocker.com.
[39:51.7] CS: Okay. Easy-peasy. Danny, thank you so much for your time and insights today.
[39:56.2] DJ: Thank you for having me, Chris.
[39:57.6] CS: Thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with InfoSec to check out our collection of tutorials, interviews and past webinars. You’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with InfoSec in your podcast catcher of choice.
Thank you for people who have been reviewing and rating us. If you wouldn’t mind, if you’re on iTunes or any other platform, give us a five-star and a write-up. We would absolutely love it. For a free month of our InfoSec skills platform that you saw in the promo startups today show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon code, type the word cyberwork, all one word, all small letters, no spaces and you’ll get a free month.
Thank you once again to Danny Jenkins and thank you all for watching and listening. We’ll speak to you next week.
Cyber Work listeners get a free month of Infosec Skills.
Use code “cyberwork” to get access to hundreds of IT and security courses today.
About Cyber Work
Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.